what it does: sober.p is a new mass-mailer worm that is spreading rapidly. it is distinguished from previous sober variants by deleting certain files on the infected system, including some that belong to security software.

the e-mail is written in either german or english and carries a 53,554-byte attachment in .zip format, under one of the following names:

account_info-text.zip

mail_info.zip

our_secret.zip

inside the zip file is an executable named winzipped-text_data.txt followed by a second extension, either .exe or .pif (i.e. winzipped-text_data.txt.exe or winzipped-text_data.txt.pif). with the windows default of hiding extensions for known file types, only the .txt part is displayed, so the file passes for a text document.
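the attachment pattern above (known zip names, known size, a disguised executable inside) can be checked mechanically at a mail gateway. the following is an added example and is not code from the original alert or from any antivirus vendor; the zip it builds is constructed from dummy bytes and copies only the names and size from the alert, not the worm's payload. the extension sets are a reasonable assumption, not something the alert lists.

```python
"""Check an e-mail attachment for the Sober.P delivery pattern.

Added example, not part of the original alert. make_sample() builds a zip
from dummy bytes; only its name, size and inner file name copy the alert.
"""
import io
import zipfile

# Indicators taken from the alert.
SOBER_ZIP_NAMES = {"account_info-text.zip", "mail_info.zip", "our_secret.zip"}
SOBER_ZIP_SIZE = 53_554
SOBER_INNER_STEM = "winzipped-text_data.txt"
SOBER_INNER_EXTS = {"exe", "pif"}

# Assumed sets: extensions Windows runs on double-click, and ones a user
# reads as harmless documents.
EXECUTABLE_EXTS = {"exe", "pif", "scr", "com", "bat", "cmd"}
DECOY_EXTS = {"txt", "doc", "pdf", "jpg", "htm", "html"}


def disguised_executable(name):
    """Reason string if the (possibly path-qualified) name is an executable
    hiding behind a document-like second extension, e.g. report.txt.exe;
    otherwise None."""
    base = name.rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    if len(parts) >= 3 and parts[-1] in EXECUTABLE_EXTS and parts[-2] in DECOY_EXTS:
        return f"executable .{parts[-1]} hidden behind .{parts[-2]}"
    return None


def suspicious_entries(zip_bytes):
    """List (entry_name, reason) for executable or disguised entries in a zip."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reason = disguised_executable(info.filename)
            if reason is None:
                ext = info.filename.rsplit(".", 1)[-1].lower() if "." in info.filename else ""
                if ext in EXECUTABLE_EXTS:
                    reason = f"plain executable .{ext}"
            if reason:
                findings.append((info.filename, reason))
    return findings


def sober_p_indicators(attachment_name, zip_bytes):
    """Return the set of Sober.P indicators the attachment matches:
    'zip_name', 'zip_size', 'inner_name'. Three of three is a strong match;
    zip_name plus inner_name alone already warrants quarantine."""
    matched = set()
    if attachment_name.lower() in SOBER_ZIP_NAMES:
        matched.add("zip_name")
    if len(zip_bytes) == SOBER_ZIP_SIZE:
        matched.add("zip_size")
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for entry in zf.namelist():
            stem, _, ext = entry.lower().rpartition(".")
            if stem == SOBER_INNER_STEM and ext in SOBER_INNER_EXTS:
                matched.add("inner_name")
    return matched


def make_sample(inner_name="winzipped-text_data.txt.exe", total_size=SOBER_ZIP_SIZE):
    """Constructed test input: a zip of exactly total_size bytes holding one
    stored (uncompressed) dummy entry. Two passes: measure the container
    overhead with a probe payload, then pad the real payload to fit."""
    def build(payload_len):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
            zf.writestr(inner_name, b"\x00" * payload_len)
        return buf.getvalue()

    probe = build(1024)
    overhead = len(probe) - 1024
    return build(total_size - overhead)


if __name__ == "__main__":
    sample = make_sample()
    print(suspicious_entries(sample))
    print(sorted(sober_p_indicators("mail_info.zip", sample)))
```

the disguised-extension check is the part worth keeping after sober.p is gone: a zip entry whose name ends in .txt.exe or .jpg.pif is almost never legitimate, regardless of what worm is current.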

e-mail addresses that contain the following strings:

.at

.li

gmx.

may receive the german version of the e-mail. others will receive the english version.

as is typical for a mass-mailer worm, the program scans the system for files with specific extensions and harvests e-mail addresses from them. it discards addresses that contain certain strings, such as 'spybot' or '@panda' (names associated with security products).

the worm deletes files whose names match these patterns:

a*.exe

luc*.exe

ls*.exe

luu*.exe

mrt.exe

asw*.tmp

among the files these patterns match are the following, which belong to symantec's liveupdate facility:

aupdate.exe

lsetup.exe

lucomserver.exe

the worm creates a folder named status inside %windows%\connection wizard\ and then creates the following files in it (%windows% is the windows directory, usually c:\windows):

%windows%\connection wizard\status\csrss.exe

%windows%\connection wizard\status\services.exe

%windows%\connection wizard\status\smss.exe

the user or administrator may receive a firewall alert that one or more of these programs is attempting to access the internet. note that the three names mimic core windows processes (csrss.exe, services.exe, smss.exe); the genuine copies run from %windows%\system32, so a csrss.exe, services.exe or smss.exe under connection wizard\status is the worm.

these files are also created on the system:

%windows%\connection wizard\status\packed1.sbr

%windows%\connection wizard\status\packed2.sbr

%windows%\connection wizard\status\packed3.sbr

%windows%\connection wizard\status\voner1.von

%windows%\connection wizard\status\voner2.von

%windows%\connection wizard\status\voner3.von

%windows%\connection wizard\status\sacri1.ggg

%windows%\connection wizard\status\sacri2.ggg

%windows%\connection wizard\status\sacri3.ggg

%windows%\connection wizard\status\fastso.ber

%windows%\system32\adcmmmmq.hjg

%windows%\system32\langeinf.lin

%windows%\system32\nonrunso.ber

%windows%\system32\seppelmx.smx

%windows%\system32\xcvfpokd.tqa

it also sets itself to run at each logon by adding the following value to the hkey_current_user\software\microsoft\windows\currentversion\run registry key (the data points at the services.exe copy in the status folder; c:\winnt is the windows directory on windows nt/2000, elsewhere it is typically c:\windows):

"_winstart" = c:\winnt\connection wizard\status\services.exe
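the dropped files and the run value above are enough to confirm an infection from a file listing and the hkcu run key. the following is an added example, not a tool from the original alert or from any vendor: it matches a host snapshot against the artefacts listed above and, more generally, flags any csrss.exe, services.exe or smss.exe that lives outside %windows%\system32. the snapshot at the bottom is constructed; on a real host you would feed in the output of os.walk over the windows directory and the run values read via winreg (an assumption about how it would be wired up, not something the alert describes).

```python
r"""Match a host snapshot against the Sober.P artefacts from the alert.

Added example, not the alert's own tool. SAMPLE_FILES and SAMPLE_RUN are
constructed; on a real host feed in os.walk() output and winreg values.
"""
import ntpath

# File names dropped under <windows>\connection wizard\status (from the alert).
DROPPED_STATUS_FILES = {
    "csrss.exe", "services.exe", "smss.exe",
    "packed1.sbr", "packed2.sbr", "packed3.sbr",
    "voner1.von", "voner2.von", "voner3.von",
    "sacri1.ggg", "sacri2.ggg", "sacri3.ggg",
    "fastso.ber",
}
# File names dropped under <windows>\system32 (from the alert).
DROPPED_SYSTEM32_FILES = {
    "adcmmmmq.hjg", "langeinf.lin", "nonrunso.ber", "seppelmx.smx", "xcvfpokd.tqa",
}
STATUS_DIR = ("connection wizard", "status")
# Core process names the worm borrows; genuine copies live only in system32.
MASQUERADE_NAMES = {"csrss.exe", "services.exe", "smss.exe"}
RUN_VALUE_NAME = "_winstart"


def _parts(path):
    """Split a Windows path into lower-cased components, drive included.
    ntpath works on any platform, so this runs off-host too."""
    norm = ntpath.normpath(path).lower().replace("/", "\\")
    return [p for p in norm.split("\\") if p]


def in_status_dir(path):
    r"""True if path sits in <windows>\connection wizard\status, whatever the
    windows directory is called (c:\windows, c:\winnt, ...)."""
    parts = _parts(path)
    return len(parts) >= 4 and tuple(parts[-3:-1]) == STATUS_DIR


def _in_system32(parts):
    return len(parts) >= 3 and parts[-2] == "system32"


def check_file(path):
    """Return a finding string for one file path, or None if it is clean."""
    parts = _parts(path)
    name = parts[-1]
    if in_status_dir(path) and name in DROPPED_STATUS_FILES:
        return f"sober.p dropped file: {path}"
    if _in_system32(parts) and name in DROPPED_SYSTEM32_FILES:
        return f"sober.p dropped file: {path}"
    if name in MASQUERADE_NAMES and not _in_system32(parts):
        return f"core process name outside system32: {path}"
    return None


def check_run_values(run_values):
    r"""run_values: dict of HKCU ...\Run value name -> command string.
    Flags the worm's '_winstart' value and any Run entry whose target is
    in the status folder, so a renamed value is still caught."""
    findings = []
    for name, command in run_values.items():
        target = command.strip().strip('"')
        if name.lower() == RUN_VALUE_NAME or in_status_dir(target):
            findings.append(f"run value {name!r} -> {command}")
    return findings


def scan(file_paths, run_values):
    """All findings for a snapshot: dropped files, masquerading names, run key."""
    findings = [f for f in map(check_file, file_paths) if f]
    findings.extend(check_run_values(run_values))
    return findings


# Constructed snapshot: a clean host plus the worm's artefacts.
SAMPLE_FILES = [
    r"c:\windows\system32\csrss.exe",                      # legitimate
    r"c:\windows\system32\services.exe",                   # legitimate
    r"c:\windows\system32\notepad.exe",                    # legitimate
    r"c:\windows\connection wizard\status\services.exe",   # worm copy
    r"c:\windows\connection wizard\status\fastso.ber",     # worm data file
    r"c:\windows\system32\langeinf.lin",                   # worm data file
]
SAMPLE_RUN = {
    "_winstart": r"c:\winnt\connection wizard\status\services.exe",
    "ctfmon.exe": r"c:\windows\system32\ctfmon.exe",       # legitimate
}

if __name__ == "__main__":
    for line in scan(SAMPLE_FILES, SAMPLE_RUN):
        print(line)
```

the masquerade check is deliberately broader than sober.p: the legitimate csrss.exe, services.exe and smss.exe exist only in %windows%\system32, so a copy anywhere else is worth a look whatever dropped it.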

how to avoid it: use antivirus software and keep it updated. this is not a cure-all: we received copies of this virus when only a few antivirus vendors detected it. do not open attachments from strangers, or even from friends, unless you know what they are and were expecting them. be on the lookout for files with misleading extensions by comparing the file's extension with the icon it displays (a name ending in .txt paired with a program icon rather than the text-document icon means the file is an executable), and turn off windows' "hide extensions for known file types" option so that the real final extension is visible.

how to remove it: boot into safe mode and remove the following value from the hkey_current_user\software\microsoft\windows\currentversion\run registry key: